Secure Medical Device Procurement
Session 223, February 14, 2019
Nick Sikorski, Manager, Deloitte & Touche LLP
Conflict of Interest
Nick Sikorski, CISSP CSSLP
Manager
Cyber Risk Services
Deloitte & Touche LLP
Has no real or apparent conflicts of interest to report.
Copyright © 2019 Deloitte Development LLC. All rights reserved.
Release for answers to polling questions
I understand that any data or information provided by me as part of this poll may be used by Deloitte in connection with this poll, other studies, or analyses performed by Deloitte or in connection with services provided by Deloitte or otherwise.
I understand that any such data or information may be disclosed by Deloitte to related entities or other third parties, including, without limitation, in publications, in connection with this poll or such studies, analyses, or services, provided that such data or information does not contain any information that identifies me or associates me with the responses I have provided to this survey.
I understand disclosure of such data or information may be required by law, in which case, Deloitte will endeavor to notify me.
I understand that this poll and the poll results are the proprietary property of Deloitte, and I will keep the poll results confidential, except as may be required by law.
Deloitte is not responsible for any loss sustained by any person who relies on the poll results.
I am permitted to respond to the polling questions pertaining to my company, including, without limitation, in accordance with the policies of my company and its board of directors (or similar governing body).
Agenda
Industry landscape
Foundational concepts to understand
Secure connected medical device procurement
Use case
Key takeaways
Q&A
Learning objectives
Analyze the connected medical device cybersecurity landscape and trends
Discuss the lack of security practices built into connected medical device procurement
Discuss the steps involved in procuring a connected medical device
Define an approach to consider for reducing risk to patient safety and information security
Industry Landscape
Medical device ecosystem
A connected medical device, as defined by the FDA, communicates via a private network,
public Internet, or point-to-point connection or can be accessed in standalone mode via a
user or machine interface. Today, connected medical devices can be viewed as an
ecosystem of interconnectivity.
The rise of cyber risk in medical devices
A combination of environmental and industry factors (reflecting the changes seen in the industry) and factors that lead to security weakness (reflecting the changes seen in organizations today) contribute to increased cyber risk.
Medical device manufacturer update
Device manufacturers have collectively come a long way over the past decade to secure devices prior to fielding.
Maturation
Understanding the need to secure devices prior to fielding (e.g., technical security testing, security risk assessment, etc.)
Exploring or implementing coordinated vulnerability disclosure programs as a result of working with security researchers
Establishing relationships with customers and providing information in a standardized format (i.e., the Manufacturer Disclosure Statement for Medical Device Security, MDS2)
Areas for opportunity
Lacking postmarket security risk management to identify and treat the risks of fielded and legacy devices
Insufficient proactive monitoring of and response to security events
Insufficient product security awareness and training for the product engineers and architects designing medical devices
Healthcare delivery organization update
Healthcare delivery organizations (HDOs) understand the risk around medical devices, and many are starting down the road to securing the devices they procure.
Maturation
Holding manufacturers accountable for medical device security prior to procurement
Including and/or requesting security questionnaires to be completed by device manufacturers during procurement. While this is positive for each individual hospital, device manufacturers then have the task of populating each of these unique questionnaires rather than completing a standardized questionnaire such as the MDS2 form.
Areas for opportunity
Lacking postmarket security risk management to identify and treat risks
Insufficient monitoring of and response to security events
Insufficient product security awareness and training for security and clinical engineers
Inadequate headcount to address the scope of the organization’s medical device portfolio
Lacking ownership of the security of connected medical devices from acquisition through disposition
Polling question #1
Q1. Who is accountable for securing medical devices in your organization?
A. Clinical Engineering
B. Information Security
C. Nobody
D. Do not know
Source: https://healthitsecurity.com/news/4.4m-records-exposed-in-117-health-data-breaches-in-q3-2018
Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5151
Foundational concepts to understand
Security and safety risk management relationship
A bi-directional relationship exists between security and safety risk, and a process should be in place detailing the procedure for separating but linking the two processes.
Source: The following figure and text are extracted from AAMI TIR57: Principles for Medical Device Security Risk Management
When a risk control measure is introduced to a design, the design must be reassessed to determine if the control measure introduces a new form of risk.
It should be recognized that there is a coupling between safety and security risk assessment processes, so when control measures are introduced for one type of risk (e.g., safety), the manufacturer needs to assess the impact on the other type of risk (e.g., security) and vice versa:
For example, the decision to add risk control measures for authentication might introduce risks that the device cannot be accessed in an emergency.
The overall risk management process should identify those points of coupling and ensure that the assessment of any newly identified source of risk is performed in both domains.
Pre-market medical device risk management
Security-by-design and privacy-by-design are fundamental to a mature Product Security and Privacy Program™, as it is within these operational areas that security and privacy are incorporated by default into device design and acquisition.
01 Integrate product security and privacy requirements into device design (e.g., security-by-design, privacy-by-design)
02 Conduct product security risk assessments and privacy impact assessments to identify and treat risks
03 Perform robust product technical security testing
04 Apply product security and privacy processes to third-party products, components, and services during procurement
05 Perform security and privacy threat modeling (and data flow diagramming) to understand risk within the larger device ecosystem
Post-market medical device risk management
Security and privacy event handling is critically important to securely maintaining fielded IoT products. Since cybersecurity and privacy are continuously evolving, new threats, vulnerabilities, and knowledge should be collected from a number of sources.
01 Conduct active product security threat intelligence
02 Effectively perform ongoing, proactive product patch management
03 Consistently handle product security and privacy incidents
04 Proactively monitor for product vulnerabilities and manage risks accordingly
External communications in the device lifecycle
Consistently and efficiently delivering and handling external medical device security and privacy communications, including being actively engaged within the industry, is essential to establishing and operating a mature Product Security and Privacy Program™.
01 Document and communicate product security and privacy attributes such as a cybersecurity bill of materials
02 Consistently intake and respond to security and privacy inquiries
03 Establish a mechanism for coordinated vulnerability disclosure
04 Adhere to security and privacy package requirements for regulatory bodies and customers
05 Actively participate in information sharing
Medical Device Manufacturer: Product Security and
Privacy Program™
Polling question #2
Q2. How often does your organization include a medical device cybersecurity evaluation during the selection decision phase of the procurement process?
A. < 25% of the time
B. 25% to 50% of the time
C. 50% to 75% of the time
D. 75% to 100% of the time
Source: https://healthitsecurity.com/news/4.4m-records-exposed-in-117-health-data-breaches-in-q3-2018
Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5152
Secure connected medical device
procurement
Understanding the issues
Increasingly sophisticated connected medical devices can have major security, privacy, and safety implications, which may result in significant impact to patients.
What proactive steps can HDOs take to secure the connected medical devices they procure?
Why is security commonly overlooked when procuring medical devices?
Clinical requirements often precede and outweigh security considerations
A complex procurement lifecycle involving multiple stakeholders and departments, both internally and externally, hinders coordination and strains timelines
Lack of awareness of medical device security practices as compared to traditional information technology (IT) security
Increased level of effort required because traditional security controls apply inconsistently to medical devices
Shadow IT across the HDO, with devices not funneled through procurement
Polling question #3
Q3. Do you think the FDA pre-market and post-market guidance will result in more
secure medical devices?
A. No - it will take more than guidelines
B. Maybe - but it will need buyers to demand compliance
C. Yes - the guidelines are the right approach
D. Do not know
Source: Deloitte: Preparing for the inevitable: Bringing tools and process improvements to data breach notification
Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5153
Understanding the procurement process
Below is an example of the management process for vendor medical device safety and security across typical stakeholders.
Typical involved stakeholders: Supply Chain, Legal, Information Security, Clinical Engineering
Phase 01: Conduct vendor-level assessment
Key activities: Vendor security questionnaire; Review and interviews
Phase 02: Conduct device-level assessment
Key activities: Device security questionnaire; Review and interviews; Security risk assessment; Security testing
Phase 03: Integrate device security into contracting
Key activities: Contractual language (e.g., Terms & Conditions)
Phase 1: Vendor security questionnaire
Leveraging a vendor questionnaire is critical to understanding how the vendor views medical device security and the processes in place to keep devices secure once fielded.
Importance
Gain a deeper understanding of the following:
How the vendor views medical device security (e.g., program vs. product)
How prepared the vendor is to keep their medical device secure once fielded
The maturity of security processes applied to secure the vendor’s medical devices throughout their lifecycle
First and foremost, identify if the vendor has an established medical device security organization. If so, assess the organization against a leading practice product security framework.
Sample high-level medical device security questions:
Does a product security policy exist?
Are product security design requirements established and integrated into product design?
Are product security risk assessments and technical security testing completed on products prior to fielding?
Are patch and vulnerability monitoring and management processes in place to keep products secure once fielded?
Are formalized processes in place to intake inquiries from external parties and respond accordingly?
Do product engineers receive in-depth training to develop secure products (e.g., secure coding)?
Phase 1: Review and interviews
The remaining activities in the vendor-level assessment are reviewing the questionnaire responses and interviewing stakeholders.
01 Review the responses to the vendor security questionnaire
Identify gaps against the identified security framework and the associated level of risk
As appropriate, escalate risk to leadership for approval
02 Conduct vendor interviews
Gain greater insight into and understanding of the questionnaire responses through follow-up discussions with the vendor as appropriate (requesting evidence as needed)
Other activities
If the HDO concludes it would like to proceed with procurement, proceed to Procurement Phase 2: Device-level assessment
Phase 2: Device security questionnaire (Tier 1)
A vendor-completed device questionnaire should be used to understand the security features built into the device design and configured upon fielding.
Importance
Gain a deeper understanding of the following:
The security features and deficiencies of the connected devices and services being procured
Publicly-available questionnaire
Source: https://www.himss.org/resourcelibrary/MDS2
Phase 2: Security risk assessment (Tier 2)
For devices deemed greater than (>) low risk, a security risk assessment should be considered to better understand the risk posed by the medical device to the HDO environment and patients.
High-level overview of steps
01 Review the provided product security questionnaire and use the provided information as intake to the device security risk assessment
02 HDO requests the vendor to provide device documentation including, but not limited to: overview of the system; hardware components; software components; architectural, network, and data flow diagrams; network information; data assets and usage
03 Conduct follow-up interviews with the product development team (and product security team) to answer any open questions following review of the device security questionnaire and provided device documentation
04 Based on the information obtained from the vendor, document device security vulnerabilities and conduct risk rating accordingly
Phase 2: Security testing (Tier 3)
The below graphic illustrates a methodology for conducting technical security testing of
connected medical devices as part of Phase 2. For devices deemed high risk, testing
should be considered.
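The three Phase 2 tiers (questionnaire for every device, risk assessment for anything above low risk, testing for high-risk devices) and the TIR57 safety/security coupling from the foundational-concepts section, as a worked triage script. This is an added example and not code from the presentation, from Deloitte, or from the MDS2 form; the questionnaire field names, the scoring weights, the tier thresholds, the constructed device profiles and the network-isolation coupling rule are all assumptions made for the example, and an HDO would substitute its own risk methodology.

```python
"""Phase 2 triage: route a connected medical device to the questionnaire,
risk-assessment and security-testing tiers, document the gaps the
questionnaire exposes, and flag security controls whose safety impact
must be reassessed (AAMI TIR57 coupling).

Illustrative example only; field names, weights and thresholds are
assumptions, not the wording of MDS2 or any HDO's methodology.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Risk(Enum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class DeviceProfile:
    """Answers distilled from a Tier 1 device security questionnaire
    (constructed attribute names, not MDS2 question wording)."""
    name: str
    therapeutic_function: bool      # delivers therapy vs. monitoring only
    stores_or_transmits_phi: bool
    network_connected: bool
    remote_service_access: bool     # vendor can reach the device remotely
    patchable_in_field: bool
    supports_unique_accounts: bool  # per-user logins, not shared/hardcoded credentials
    vendor_has_cvd_program: bool    # coordinated vulnerability disclosure (Phase 1 item)


def rate_risk(p: DeviceProfile) -> Risk:
    """Impact comes from what the device does; likelihood from how exposed
    and maintainable it is. Weights and thresholds are assumptions."""
    impact = (2 if p.therapeutic_function else 0) + (1 if p.stores_or_transmits_phi else 0)
    likelihood = sum([
        p.network_connected,
        p.remote_service_access,
        not p.patchable_in_field,        # known bugs stay exploitable for the device's life
        not p.supports_unique_accounts,  # no accountability, no revocation of a leaked credential
    ])
    score = impact * likelihood          # 0..12
    if score >= 6:
        return Risk.HIGH
    if score >= 2:
        return Risk.MODERATE
    return Risk.LOW


def required_tiers(p: DeviceProfile) -> tuple[int, ...]:
    """Tier 1 always; Tier 2 for anything above low risk; Tier 3 for high risk."""
    risk = rate_risk(p)
    tiers = [1]
    if risk is not Risk.LOW:
        tiers.append(2)
    if risk is Risk.HIGH:
        tiers.append(3)
    return tuple(tiers)


def findings(p: DeviceProfile) -> list[str]:
    """Tier 2, step 04: document the security gaps the questionnaire exposes."""
    out = []
    if not p.patchable_in_field:
        out.append("no field patch path; vulnerabilities persist for the device's lifetime")
    if not p.supports_unique_accounts:
        out.append("shared or hardcoded credentials; no per-user accountability")
    if p.remote_service_access:
        out.append("vendor remote access; confirm per-session authentication, logging and HDO approval")
    if not p.vendor_has_cvd_program:
        out.append("no coordinated vulnerability disclosure program (Phase 1 finding)")
    return out


# Security controls that can raise safety risk on the same device. The
# authentication case is the one TIR57 gives; network isolation is an
# added assumption for the example.
COUPLING_RULES = {
    "authentication": "authentication may block access in an emergency; require a break-glass path",
    "network_isolation": "isolating the device may also stop alarm forwarding or central monitoring",
}


def coupling_notes(p: DeviceProfile, planned_controls: Iterable[str]) -> list[str]:
    """Flag planned security controls whose safety impact must be reassessed."""
    notes = []
    for control in planned_controls:
        if control == "authentication" and p.therapeutic_function:
            notes.append(COUPLING_RULES[control])
        elif control == "network_isolation" and p.network_connected:
            notes.append(COUPLING_RULES[control])
    return notes


def triage(p: DeviceProfile, planned_controls: Iterable[str] = ()) -> dict:
    return {
        "device": p.name,
        "risk": rate_risk(p).name,
        "tiers": required_tiers(p),
        "findings": findings(p),
        "safety_coupling": coupling_notes(p, planned_controls),
    }


# Constructed sample profiles; not real products or real questionnaire responses.
INFUSION_PUMP = DeviceProfile("smart infusion pump", True, True, True, True, True, False, True)
VITALS_MONITOR = DeviceProfile("bedside vitals monitor", False, True, True, True, True, True, False)
ULTRASOUND_CART = DeviceProfile("standalone ultrasound cart", False, True, False, False, True, False, True)

if __name__ == "__main__":
    for device in (INFUSION_PUMP, VITALS_MONITOR, ULTRASOUND_CART):
        print(triage(device, ["authentication", "network_isolation"]))
```

Run stand-alone, the script routes the pump to all three tiers, the monitor to Tiers 1 and 2, and the standalone cart to Tier 1 only, and it attaches the emergency-access coupling note only to the therapeutic device. The point of keeping impact and likelihood separate is that a fix on the likelihood side (a patch path, unique accounts) can move a device down a tier without changing what it does to the patient, whereas the impact side is fixed by the clinical function and should never be argued down during procurement.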
Phase 2: Security testing (Tier 3) (cont’d)
Underwriters Laboratories (UL) Cybersecurity Assurance Program (CAP) Certification Readiness Program
01 About UL
Overview: The UL 2900 series of standards under the Cybersecurity Assurance Program (CAP) provide a minimum set of security requirements that developers of network-connectable products can adopt to establish a baseline of protection.
Many companies are now seeking CAP certification of their products to demonstrate that they have consistently implemented the minimum set of security controls required.
02 Solving industry challenges
As part of the CAP certification process, UL performs both a product-level and an organizational assessment of cybersecurity controls.
Often, companies find that their existing processes do not meet the leading practice standards set by UL, causing unforeseen delays in the certification process.
Source: Underwriters Laboratories (UL)
Phase 3: Contract and on-board
Develop contract language with security incorporated, with input from the appropriate stakeholders, and include vendor remediation plans for known vulnerabilities. Pair each acknowledgement with an obligation the HDO can verify, such as the patch level and malware-scan evidence delivered at on-boarding and the remediation timeline for vulnerabilities disclosed after delivery.
Contract language to consider
01 Vendor hereby acknowledges that the product being procured:
conforms to product security and privacy regulatory requirements and industry leading practices; and
is up-to-date on the latest available security patches and free from malware.
02 Vendor hereby acknowledges that they will:
manage product security and privacy risk of the product being procured to identify and detect cybersecurity threats and vulnerabilities, protect users from risk (e.g., harm), and respond to and recover from security and privacy events and incidents as they arise;
monitor the procured product through the performance of post-market surveillance in alignment with regulatory requirements and industry leading practices; and
perform good cyber hygiene of the procured product to keep it up-to-date on the latest available security patches.
Polling question #4
Q4. Would you be open to adopting the Manufacturer Disclosure Statement for
Medical Device Security (MDS2) as your product level procurement
questionnaire?
A. No - it does not meet the needs we have as an organization
B. Maybe - it could solve the problem but is not mature enough yet
C. Yes - a completed MDS2 form would provide us with the information we need to make an informed decision
Source: Deloitte: Preparing for the inevitable: Bringing tools and process improvements to data breach notification
Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5154
Key takeaways
Key takeaways and lessons learned
Ensure the right people are engaged and have ownership of the process
The relevant medical device subject matter experts from the vendor’s product teams need to be engaged to provide the requested information.
Leverage the procurement team to open dialogue with the vendor
Medical device manufacturers are more likely to fully engage in assessment collaboration when procurement is involved in initiating the conversation.
Establish medical device secure procurement practices
Establish a process to integrate medical device security into the device procurement process, including cooperation between key stakeholders across the organization.
Leverage industry available resources
Rather than developing and providing unique questionnaires to your device vendors, use publicly-available industry resources (e.g., the Manufacturer Disclosure Statement for Medical Device Security, MDS2).
Questions & Answers (Q&A)
Nick Sikorski, CISSP CSSLP
Manager
Cyber Risk Services
Deloitte & Touche LLP
Reminder to please complete online session evaluation!
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This
presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any
decision or action that may affect your business. Before making any decision or taking any action that may
affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.